Will the U.S. government draft cybersecurity professionals?

A Congressional commission might soon recommend conscription of cybersecurity professionals to serve in both the military and civil service.

Will there be a giant sucking sound of cybersecurity talent evading the draft by moving to Canada?

The National Commission on Military, National and Public Service, created by Congress, is currently evaluating the Selective Service System (SSS) with an eye toward modernizing the draft, including the possibility of conscripting cybersecurity professionals.

"Part of that discussion," Jacob Daniels, a legislative liaison at the SSS, tells CSO by email, "has involved a 'skills draft' where our agency would ask experts on certain subject matters to register with Selective Service. The types of professionals that have been referenced in these discussions include healthcare professionals and cybersecurity experts. The Commission will report its findings and recommendations to Congress in March of 2020."

"That said," Daniels adds, "Congress is not bound by any of the findings or recommendations made by the Commission."

Whoever came up with this idea has been huffing paint.— Dan Tentler

The idea is about as popular among hackers as you might think. "Whoever came up with this idea has been huffing paint," Dan Tentler, founder of attack simulation consultancy Phobos, tells CSO.

The future of the draft

"The feasibility and advisability of modifying the military selective service process in order to obtain for military, national, and public service individuals with skills (such as medical, dental, and nursing skills, language skills, cyber skills, and science, technology, engineering, and mathematics (STEM) skills) for which the Nation has a critical need, without regard to age or sex."

Conscripting workers with specialized skills, including cybersecurity experts, is under formal discussion in Washington, and the latest Executive Order from the White House contains language that suggests the idea is being taken seriously. "United States Government policy must facilitate the seamless movement of cybersecurity practitioners between the public and private sector," the EO says, "maximizing the contributions made by their diverse skills, experiences, and talents to our Nation."

The M.A.S.H. precedent

Conscripting highly skilled workers is not new. The U.S. government drafted doctors and nurses during the Korean War (think M.A.S.H.) and continues to reserve the right to conscript medical professionals in times of war. Current Selective Service rules can conscript medical professionals as old as age 44 — and even older, in some cases.

Times have changed, though, and a similar attempt today to draft doctors or cybersecurity professionals would likely meet with resistance.

Some Members of Congress are arguing to do away with the Selective Service, the agency that runs the draft. Others say the draft should include both women and men. Currently, all men age 18 to 26 must register for the draft. Earlier this year a court ruled that forcing only men to register for the draft was unconstitutional but did not order the Selective Service to start registering women as well. The Commission's findings will almost certainly address the issue.

Don't say the word "draft"

In Congressional testimony last week, witnesses from U.S. Army Cyber Command and the Department of Defense bent over backwards to avoid using the words "draft" or "conscription," preferring instead to propose new recruitment and retention efforts to obtain the personnel with the right cybersecurity skills.

One of the key goals under discussion is the ability to recruit and promote mid-career experts who might be in their thirties, forties or even older — and commission them in ranks as high as O-6 (Captain in the Navy, Colonel in the other services). The result, one witness said, meant a "Michelin Man" shaped military going forward, with an age and experience bulge in the middle.

Traditionally, the military has been pyramid-shaped — large numbers of the young and less-skilled at the bottom doing most of the fighting, with a sharp ascension in years and skill as military personnel move up the ranks. However, in a cyber conflict, older, more experienced cybersecurity experts may well be on the front lines.

"The future military may need more personnel in the middle years of experience because of the technical nature of operations (a 'Michelin man' profile), versus the pyramid shape the military now assumes," David S.C. Chu of the Institute for Defense Analyses wrote in submitted testimony. "Only by drawing from the private sector could such a distribution be achieved."

"SWAT teams of nerds"

U.S. Army Cyber Command wants to deploy more experienced security practitioners to modernize and secure the military information systems, Nicole Camarillo, executive director, talent acquisition and management strategy U.S. Army Cyber Command, told Congress.

"In addition to improving technology inside the Pentagon, SWAT teams of nerds are deployed globally to combatant commands in support of the warfighter and our global defense networks," Camarillo said in written testimony.

Finding ways to enable security professionals to move laterally into and out of the uniformed services is part of the stated goal to fill those SWAT teams with motivated nerds. The staff memorandum on military service, circulated prior to the hearing this week, calls on the government to "build new pipelines to military service," and to "facilitate a 'continuum of service' between the military and private sector."

The military clearly prefers to offer recruiting and promotion incentives to acquire the cybersecurity talent they want, but it remains unclear how they can compete with private sector salaries, or for the growing ranks of talent who were raised on the Snowden revelations and object on principle to working for the U.S. military, intelligence agencies, or the military-industrial complex. The commission does not specifically acknowledge the repercussions of the Snowden revelations on recruitment of cybersecurity professionals, but many witnesses lamented the growing cultural divide between civilians and the military, with some fretting over the de facto emergence of a "warrior class" in American society.

The latter may be the biggest hurdle to overcome, and the commission proposes to solve the problem with greater marketing aimed at America's youth, including more base field trips, expanded youth cadet programs like JROTC, and establishing "a pilot program to solicit innovative approaches to branding and marketing" military service to potential recruits.

If the idea of moving to Canada to evade a draft sounds appealing, remember the global cybersecurity skills shortage has impacted our chilly northern neighbor, too. Security professionals won't struggle to find a job and a visa to go with it.

For his part, that's what security expert Robert Graham of Errata Security says he'd do if there was a draft. "Move to Canada," he tells CSO. "That's not a draft. That's slavery."

This story, "Will the U.S. government draft cybersecurity professionals?" was originally published by
CSO.